Field of the invention
[0001] The invention relates to a method of securing communication between an access network
and a core network, to a core network, to an access network, to components of the
access network and the core network and to a computer program product for performing
operations to secure communication between the access network and the core network.
Background and related art
[0002] A communication network is usually divided into an access network and into a core
network. An access network is a network that connects users, for example subscribers
of a telecommunication service provider, to the actual service provider, whose functionality
is comprised in the core network. For connection to the access network the user typically
employs a user end device, such as a mobile phone, a mobile terminal, a PDA, a computer
or any other device which is connectable to a communication network. The user end
device can be regarded as a node connected to and served by the communication network.
[0003] The internet protocol (IP) is nowadays the standard protocol employed within
communication networks. However, this protocol and the protocols associated with
it, for example DHCP (dynamic host configuration protocol), MIP (mobile IP) or IGMP
(internet group management protocol), present two major inconvenient features for
deployment in public communication networks. One inconvenient feature is that the
intelligence is in the end points, in the terminal and in the core network, and the
other inconvenient feature is that the control plane shares the same data path as
the data plane.
[0004] The aspect that the intelligence is in the end points is awkward for a public operator
due to the cost of provisioning, maintaining, upgrading and guaranteeing security
against a wide base of subscribers. In the core network, the core user session and
mobility management are controlled and in the access network, the traffic aggregation
takes place. It is a common decomposition for any type of function to locate a server
in the core network and an agent in the access network. For instance, in DHCP, there
is a DHCP server in the core network and a DHCP relay in the access network, for IGMP,
there is an IGMP server in the core network and an IGMP proxy in the access network,
and for MIP, there is a home agent in the core network and a foreign agent in the
access network.
[0005] The other aspect mentioned is that the control plane shares the same data path as
the data plane. This is the source of multiple security and privacy concerns because
the control plane network elements are reachable by the simplest user traffic. Therefore,
a huge effort is spent in designing security models and frameworks that protect
the network infrastructure. However, the solutions available to date vary widely.
For example there are IGMP deployments with no security mechanisms proposed. For the
context of DHCP the document RFC3118, which can be obtained from
www.ietf.org, has been proposed but it has not yet made it to the commercial market. A fully fledged
security model is in place for MIP, but at the cost of a heavy dependency on the terminal.
[0006] There is therefore a need for an improved method of securing communication between an access network
and a core network, an improved core network, an improved access network, an improved
agent, an improved communication network component as well as improved computer program
products for performing operations to secure communication between an access network
and a core network.
Summary of the invention
[0007] In accordance with an embodiment of the invention, there is provided a method of
securing communication between an access network and a core network, wherein the access
network and the core network are comprised in a communication network, wherein the
access network comprises an agent, wherein the core network comprises a server and
a trust server, and wherein the method comprises the step of receiving a request from
the agent at the core network, wherein the request relates to a node, wherein the
node is served by the agent, wherein the request requests information about the node
from the server. The method further comprises the step of requesting confirmation
from the trust server if the node has been previously authenticated against the communication
network and the step of sending the information requested by the agent from the server
to the agent if the node has been previously authenticated against the communication
network. The method further comprises the step of denying sending the information
if the node has not been previously authenticated against the communication network.
[0008] The information which is comprised in the request can also refer to a demand by which
the agent asks the server if the agent can authorize the node to perform an operation.
The demand is granted if confirmation is given by the server. Thus the information
sent by the server relates to an approval of the demand. If the information is not
sent, then the demand is not approved.
[0009] The server that is requested to provide the agent with information about the node
only partially trusts the agent: before answering, the server asks the trust server whether
the node has been previously authenticated against the network. Only if this is the
case, meaning that the node has been previously authenticated, does it forward the information
to the agent. Since the access network typically relates to a specific region or to
a specific location, the server thereby validates before sending the information to the access
network that the node is indeed served in that location.
[0010] The method in accordance with the invention is particularly advantageous as there
is no longer any dependency on the node, which can be a terminal. Once the node
has been authenticated against the communication network, the communication between
the access network and the core network is secured by asking the trust server whether
that node has been previously authenticated. The terminal itself is no longer needed
for ensuring secure communication between the access network and the core network.
The method in accordance with the invention is furthermore advantageous as it provides
a much simpler model for securing the communication between the access network
and the core network that relates to a node served by the access network, when the
client functionality is proxied in the access network.
[0011] In accordance with an embodiment of the invention, the method further comprises the
steps of authenticating the node against the communication network by the trust server
and assigning the agent to the node.
[0012] In accordance with an embodiment of the invention, the method further comprises forwarding
the confirmation from the trust server to the server. The node is initially authenticated
against the communication network by use of the EAP protocol (extensible authentication
protocol). In this context the trust server is an EAP server. The method in accordance
with the invention is particularly advantageous because the authentication solution
employed to initially authenticate the node against the communication network
by use of the EAP protocol is used as well for securing the communication between
the access network and the core network, since the EAP server is asked whether the node
has been previously authenticated against the communication network. Hence the server
does not need to maintain multiple security associations per user or per node, with
associated shared secrets, lifetimes or sequence numbers, since only the initial authentication
carried out by the EAP server is validated.
[0013] In accordance with an embodiment of the invention, the method further comprises the
step of receiving the request from the agent, wherein the request comprises an authenticator
identifier, wherein the authenticator identifier relates to an authenticator of the
access network. The method in accordance with the invention furthermore comprises
the step of requesting confirmation from the trust server that the authenticator has
been employed for a previous authentication of the node.
[0014] In accordance with an embodiment of the invention, the method further comprises the
step of comparing the authenticator identifier with a second authenticator identifier
stored in the trust server, wherein the second authenticator identifier relates to
the authenticator which has authenticated the node previously. The method further
comprises the step of confirming that the authenticator is indeed the authenticator
that has previously authenticated the node if the authenticator identifier equals
the second authenticator identifier, the step of sending the information requested
by the agent from the server to the agent if the authenticator identifier equals the
second authenticator identifier, and the step of denying sending the information if
said authenticator identifier does not equal the second authenticator identifier.
The authenticator is the element of the access network that interfaces with the authentication
server, i.e. the trust server, during the authentication of the node. The node is thus
double-checked: first by requesting confirmation from the trust server that the agent is serving
the node, and second by requesting confirmation that the authenticator is still serving
the node. The access network and the authenticator typically relate to a specific
location area. A location area in the context of mobile communication networks refers
to a group of adjacent radio cells, i.e. a plurality of adjacent cells of a mobile
communication network. A cell of a mobile communication network is for example given
by the coverage of a base station, which is the area that is covered or served by that
base station.
[0015] The method in accordance with the invention is furthermore particularly advantageous
as by checking that the serving authenticator of the node has not changed, it is furthermore
ensured that the location area of the node has remained the same.
[0016] In accordance with an embodiment of the invention, the communication network is a
mobile communication network. A mobile communication network can for example be
a wireless telecommunications network.
[0017] In accordance with an embodiment of the invention, the agent is a foreign agent of
a mobile internet protocol (MIP) network. A MIP network is a mobile communication
network which employs the MIP protocol.
[0018] In accordance with an embodiment of the invention, the server is a home agent of
the mobile internet protocol (MIP) network.
[0019] In accordance with an embodiment of the invention, the trust server is an extensible
authentication protocol (EAP) server.
[0020] In accordance with an embodiment of the invention, the mobile communication network
is employing the IEEE 802.16 (WiMAX) standard for communication with the mobile station.
[0021] In accordance with an embodiment of the invention, the mobile communication network
is employing the IEEE 802.11 (WLAN) standard for communication with the mobile station.
[0022] In accordance with an embodiment of the invention, the node refers to an end user
device such as a cell phone, a portable computer, a computer, a PDA, or any other
portable device having a network connection.
[0023] In accordance with an embodiment of the invention, the agent is a DHCP (dynamic host
configuration protocol) relay or proxy.
[0024] In accordance with an embodiment of the invention, the server is a DHCP server.
[0025] In accordance with an embodiment of the invention, the agent is an IGMP proxy and
the server is an IGMP server.
[0026] In another aspect the invention relates to a method of securing communication between
an access network and a core network, wherein the access network and the core network
are comprised in a communication network, wherein the access network comprises an
agent and an authenticator, wherein the core network comprises a server and a trust
server, wherein the method comprises the step of sending a request from the agent
to the server, wherein the request relates to a node that has been authenticated against
the communication network, wherein the node is served by the agent, wherein the request
requests information about the node from the server, wherein the request further comprises
an authenticator identifier, wherein the authenticator identifier relates to the authenticator
and the step of receiving the information from the server.
[0027] The method in accordance with the invention is particularly advantageous as by the
request sent to the server by the agent, the authenticator identifier of the authenticator
of the access network is included. The authenticator identifier can be employed to
validate the location from which the message is sent.
[0028] In another aspect the invention relates to a core network that can be coupled to
an access network, wherein the access network comprises an agent, wherein the core
network comprises a server and a trust server, wherein the core network further comprises
means for receiving a request from the agent, wherein the request relates to a node,
wherein the node is served by the agent, wherein the request requests information
about the node from the server. The core network further comprises means for requesting
confirmation from the trust server that the node has been previously authenticated,
means for sending the information requested by the agent from the server to the agent
if the node has been previously authenticated and means for denying sending the information
if the node has not been previously authenticated.
[0029] In accordance with an embodiment of the invention, the core network further comprises
means for authenticating the node against the communication network by the trust server
and means for assigning the agent to the node.
[0030] In accordance with another embodiment of the invention, the core network
further comprises means for forwarding the confirmation from the trust server to the
server.
[0031] In accordance with an embodiment of the invention, the core network further comprises
means for receiving the request from the agent, wherein the request comprises an authenticator
identifier, wherein the authenticator identifier relates to an authenticator of the
access network and means for requesting confirmation from the trust server that the
authenticator has been employed for a previous authentication of the node.
[0032] In accordance with an embodiment of the invention, the core network further comprises
means for comparing the authenticator identifier with a second authenticator identifier
stored in the trust server, wherein the second authenticator identifier relates to
the authenticator which has authenticated the node previously. The core network further
comprises means for confirming that the authenticator is indeed the authenticator
that has authenticated the node previously if the authenticator identifier equals
the second authenticator identifier. The core network further comprises means for
sending from the server to the agent the information requested by the agent if the
authenticator identifier equals the second authenticator identifier and means for
denying sending the information if the authenticator identifier does not equal the
second authenticator identifier.
[0033] In accordance with an embodiment of the invention, the node authenticated against
the core network and the access network is a mobile node relating to a mobile station
or to an end user device in general.
[0034] In accordance with an embodiment of the invention, the core network and the access
network are comprised in a communication network. The communication network can for
example be a mobile communication network.
[0035] In accordance with an embodiment of the invention, the core network, the access network
and the mobile station employ the IEEE 802.16 (WiMAX) standard for communication. Alternatively
they employ the IEEE 802.11 (WLAN) standard.
[0036] In another aspect the invention relates to an access network, said access network
comprising an agent and an authenticator, said access network being connectable to
a core network, said core network comprising a server and a trust server, and said
access network further comprises means for sending a request to the server, wherein
the request relates to a node, wherein the node is served by the agent, wherein the
request requests information about the node from the server, wherein the request further
comprises an authenticator identifier, wherein the authenticator identifier relates
to the authenticator and means for receiving the information from the server.
[0037] In another aspect the invention relates to an agent, wherein the agent is comprised
in an access network of a communication network, wherein the communication network
further comprises a core network, wherein the access network comprises an authenticator,
wherein the core network comprises a server and a trust server, and wherein the agent
further comprises means for sending a request to the server, wherein the request relates
to a node authenticated against the communication network, wherein the node is served
by the agent, wherein the request requests information about the node from the server,
wherein the request further comprises an authenticator identifier, wherein the authenticator
identifier relates to the authenticator. The agent further comprises means for receiving
the information from the server.
[0038] In another aspect the invention relates to a communication network component, wherein
the communication network component is comprised in a core network of a communication
network, wherein the core network further comprises a server and a trust server, wherein
the communication network further comprises an access network, wherein the access
network comprises an agent, and wherein the communication network component comprises
means for receiving a request from the agent, wherein the request relates to a node,
wherein the node is served by the agent, wherein the request requests information
about the node from the server and means for requesting confirmation from the trust
server that the node has been previously authenticated against the communication network.
The communication network component further comprises means for sending the information
requested by the agent from the server to the agent if the node has been previously
authenticated against the communication network and means for denying sending said
information if the node has not been previously authenticated against the communication network.
[0039] In another aspect the invention relates to a computer program product comprising
computer executable instructions for securing communication between an access network
and a core network, wherein the access network and the core network are comprised in
a communication network, wherein the access network comprises an agent, wherein the
core network comprises a server and a trust server, and wherein the instructions are
adapted to perform the steps of receiving a request from the agent at the core network,
wherein the request relates to a node, wherein the node is served by the agent, wherein
the request requests information about the node from the server and of requesting
confirmation from the trust server that the node has been previously authenticated
against the communication network. The instructions further are adapted to perform
the steps of sending the information requested by the agent from the server to the
agent if the node has been previously authenticated against the communication network
and of denying sending the information if the node has not been previously authenticated
against the communication network.
[0040] In another aspect the invention relates to a computer program product comprising
computer executable instructions for securing communication between an access network
and a core network, wherein the access network and the core network are comprised in
a communication network, wherein the access network comprises an agent and an authenticator,
wherein the core network comprises a server and a trust server, wherein the instructions
are adapted to perform the steps of sending a request to the server, wherein the request
relates to a node authenticated before against the communication network, wherein the node
is served by the agent, wherein the request requests information about the node from
the server, wherein the request further comprises an authenticator identifier, wherein
the authenticator identifier relates to the authenticator and of receiving the information
from the server.
Brief description of the drawings
[0041] In the following preferred embodiments of the invention will be described in greater
detail by way of example only making reference to the drawings in which:
- Figure 1 is a block diagram of a mobile communication network and a mobile station,
- Figure 2 is a flow diagram depicting the basic steps performed by the method in accordance
with the invention.
Detailed description
[0042] Fig. 1 shows a block diagram 100 illustrating schematically a communication network
102 that is connected to a node 116. The communication network 102 comprises a core
network 104 and an access network 106. The core network 104 comprises a server 108,
a network component 128, and a trust server 110. The access network 106 comprises
an agent 112 and an authenticator 118. The access network and the core network are
connected by the communication link 122. The access network is connected to the node
116 via the communication link 124.
[0043] The communication link 124 is typically a wireless communication link between the
node 116 and a base station (not shown) of a communication network and a wired link
between the base station and the access network 106. The communication link 122 is
for example a secured wired communication link between the access network 106 and
the core network 104.
[0044] In operation, the server receives a request 114 from the agent. The request relates
to the node 116 which is served by the agent 112. The request 114 requests information
126 about the node from the server 108. After reception of the request 114, the server
requests confirmation from the trust server 110 if the node 116 has been previously
authenticated against the communication network 102. If the node 116 has been authenticated
by the communication network 102, then the server sends the information 126 requested
by the agent to the agent 112. If the node 116 has not been authenticated by the communication
network 102, then the information 126 is not sent by the server 108 to the agent 112.
[0045] The node 116 is initially authenticated against the communication network 102 via
the authenticator 118 by the trust server 110. The initial authentication process
that takes place between the node 116, the authenticator 118, and the trust server
110 employs for example the EAP protocol. After the initial authentication has taken
place, the node 116 is known to the trust server 110. Furthermore, the trust server
110 'knows' that the authenticator 118 and the agent 112 have been assigned to the
node 116. Thus, the server 108 can always confirm that the node 116 has been authenticated
before by requesting confirmation from the trust server 110.
[0046] The authenticator 118 has been assigned to the node 116 in the initial authentication
process. The authenticator 118 is identifiable by an authenticator identifier 120.
The agent 112 can add the authenticator identifier 120 to the request 114 before sending
the request to the server 108. The trust server 110 knows that the authenticator 118
has been initially assigned during the initial authentication to the node 116 and
the authenticator identifier 120 of the authenticator 118 can for example be stored
on the trust server 110. After reception of the request 114 the server 108 can ask
the trust server 110 whether the authenticator 118 has indeed been employed for a previous
authentication of the node 116, for example by comparing the authenticator identifier
120 with the stored authenticator identifier. If both authenticator identifiers,
the authenticator identifier of the request 114 and the authenticator identifier stored
in the trust server, match, then the information 126 requested by the agent 112 is
sent to the agent, whereas otherwise the information is not sent to the agent 112.
[0047] In the preceding description of figure 1, the functionality for performing a method
in accordance with the invention has been integrated into the server 108. Alternatively
the functionality could be integrated into the separate network component 128, which
would then be placed between the agent 112 and the server 108 and which would exchange
the information 126 between the server 108 and the agent 112 only if a request
sent by the network component 128 to the trust server 110 confirms that the node
116 for which the information 126 is demanded has indeed been previously authenticated
against the communication network.
[0048] In operation, the network component 128 receives the request 114 from the agent 112.
It requests confirmation from the trust server 110 that the node 116 is indeed served
by agent 112. If this is the case, the request 114 is forwarded to the server
108, which then sends the requested information 126 to the agent 112. If this is not
the case, the request 114 is not forwarded to the server 108 and as a consequence
the information 126 is not given to the agent 112.
[0049] If the request 114 furthermore comprises the authenticator identifier 120, then
the network component 128 asks the trust server 110 whether the authenticator 118 to
which the authenticator identifier 120 relates is indeed the serving authenticator
for the node 116. If this is true then the request 114 is forwarded to the
server 108, which then provides the agent 112 with the requested information 126. Otherwise
the request 114 is not forwarded to the server 108 and as a consequence the
information 126 is not given to the agent 112.
[0050] Fig. 2 shows a flow diagram 200 illustrating the basic steps performed by the method
in accordance with the invention. In step 202, a request from an agent of the access network is
received at the core network, wherein the request relates to a node which is served
by the agent, and wherein the request requests information about the node from a server
of the core network. In step 204 confirmation is requested from a trust server of
the core network whether the node has been previously authenticated by the trust server
against the communication network. In step 206 the initial authentication of the node
is either negated or approved by the trust server. If the node has been previously
authenticated, then the requested information is sent from the server to the agent
as indicated in step 208. Otherwise the requested information is not sent to the agent
as indicated in step 210.
List of Reference Numerals
| Numeral | Element |
| --- | --- |
| 100 | Block diagram |
| 102 | Communication network |
| 104 | Core network |
| 106 | Access network |
| 108 | Server |
| 110 | Trust server |
| 112 | Agent |
| 114 | Request |
| 116 | Node |
| 118 | Authenticator |
| 120 | Authenticator identifier |
| 122 | Communication link |
| 124 | Communication link |
| 126 | Information |
| 128 | Network component |
| 200 | Flow diagram |
| 202 | Step of reception of request |
| 204 | Step of requesting confirmation |
| 206 | Step of negating or approving confirmation |
| 208 | Step of sending information |
| 210 | Step of denying sending the information |
1. A method of securing communication between an access network (106) and a core network
(104), said access network (106) and said core network (104) being comprised in a
communication network (102), said access network (106) comprising an agent (112),
said core network (104) comprising a server (108) and a trust server (110), said method
comprising:
- receiving a request (114) from said agent (112) at said core network (104), said
request (114) relating to a node (116), said node (116) being served by said agent
(112), said request (114) requesting information (126) about said node (116) from
said server (108);
- requesting confirmation from said trust server (110) if said node (116) has been
previously authenticated against said communication network (102);
- sending said information (126) requested by said agent (112) from said server (108)
to said agent (112) if said node (116) has been previously authenticated against said
communication network (102);
- denying sending said information (126) if said node (116) has not been previously
authenticated against said communication network (102).
2. The method of claim 1, said method further comprising:
- receiving said request (114) from said agent (112), said request (114) comprising
an authenticator identifier (120), said authenticator identifier (120) relating to
an authenticator (118) of said access network (106);
- requesting confirmation from said trust server (110) if said authenticator (118)
has been employed for a previous authentication of said node (116).
3. The method of claim 2, said method further comprising:
- comparing said authenticator identifier with a second authenticator identifier stored
in said trust server, said second authenticator identifier relating to the authenticator
that has authenticated said node previously;
- sending said information requested by said agent from said server to said agent
if said authenticator identifier equals the second authenticator identifier;
- denying sending said information if said authenticator identifier does not equal
the second authenticator identifier.
4. A method of securing communication between an access network (106) and a core network
(104), said access network (106) and said core network (104) being comprised in a
communication network (102), said access network (106) comprising an agent (112) and
an authenticator (118), said core network (104) comprising a server (108) and a trust
server (110), and said method comprising:
- sending a request (114) from said agent (112) to said server (108), said request
(114) relating to a node (116) authenticated previously against said communication
network (102), said node (116) being served by said agent (112), said request (114)
requesting information (126) about said node (116) from said server (108), said request
(114) further comprising an authenticator identifier (120), said authenticator identifier
(120) relating to said authenticator (118);
- receiving said information (126) from said server (108).
5. A core network (104) coupled to an access network (106), said core network comprising
a server (108) and a trust server (110), said access network (106) comprising an agent
(112), said core network (104) further comprising:
- means for receiving a request (114) from said agent (112), said request (114) relating
to a node (116), said node being served by said agent (112), said request (114) requesting
information (126) about said node (116) from said server (108);
- means for requesting confirmation from said trust server (110) if said node (116)
has been previously authenticated;
- means for sending said information (126) requested by said agent (112) from said
server (108) to said agent (112) if said node (116) has been previously authenticated;
- means for denying sending said information (126) if said node has not been previously
authenticated.
6. An access network (106) comprising an agent (112) and an authenticator (118), said
access network being coupled to a core network (104), said core network (104) comprising
a server (108) and a trust server (110), said access network (106) further comprising:
- means for sending a request (114) to said server (108), said request (114) relating
to a node (116), said node (116) being served by said agent (112), said request (114)
requesting information (126) about said node (116) from said server (108), said request
(114) further comprising an authenticator identifier (120), said authenticator identifier
(120) relating to said authenticator (118);
- means for receiving said information (126) from said server (108).
7. An agent (112), said agent (112) being comprised in an access network (106) of a communication
network (102), said communication network further comprising a core network (104),
said access network (106) further comprising an authenticator (118), said core network
(104) comprising a server (108) and a trust server (110), said agent (112) further
comprising:
- means for sending a request (114) to said server (108), said request (114) relating
to a node (116) authenticated against said communication network (102), said node
(116) being served by said agent (112), said request (114) requesting information
(126) about said node (116) from said server (108), said request (114) further comprising
an authenticator identifier (120), said authenticator identifier relating to said
authenticator (118);
- means for receiving said information (126) from said server (108).
8. A communication network component (128), said communication network component (128)
being comprised in a core network (104) of a communication network (102), said core
network (104) further comprising a server (108) and a trust server (110), said communication
network (102) further comprising an access network (106), said access network (106)
comprising an agent (112), and said communication network component (128) comprising:
- means for receiving a request (114) from said agent (112), said request (114) relating
to a node (116), said node (116) being served by said agent (112), said request (114)
requesting information (126) about said node (116) from said server (108);
- means for requesting confirmation from said trust server (110) that said node (116)
has been previously authenticated against said communication network (102);
- means for sending said information (126) requested by said agent (112) from said
server (108) to said agent (112) if said node (116) has been previously authenticated
against said communication network (102);
- means for denying sending said information (126) if said node (116) has not been
previously authenticated against said communication network (102).
9. A computer program product comprising computer executable instructions for securing
communication between an access network (106) and a core network (104), said access
network (106) and said core network (104) being comprised in a communication network
(102), said access network (106) comprising an agent (112), said core network (104)
comprising a server (108) and a trust server (110), said instructions being adapted
to perform the steps of:
- receiving a request (114) from said agent (112) at said core network (104), said request
(114) relating to a node (116), said node (116) being served by said agent (112),
said request (114) requesting information (126) about said node (116) from said server
(108);
- requesting confirmation from said trust server (110) that said node (116) has
been previously authenticated against said communication network (102);
- sending said information (126) requested by said agent (112) from said server (108)
to said agent (112), if said node (116) has been previously authenticated against
said communication network (102);
- denying sending said information (126) if said node (116) has not been previously
authenticated against said communication network (102).
10. A computer program product comprising computer executable instructions for securing
communication between an access network (106) and a core network (104), said access
network (106) and said core network (104) being comprised in a communication network
(102), said access network (106) comprising an agent (112) and an authenticator (118),
said core network (104) comprising a server (108) and a trust server (110), said
instructions being adapted to perform the steps of:
- sending a request (114) to said server (108), said request (114) relating to a node
(116) previously authenticated against said communication network (102), said node (116)
being served by said agent (112), said request (114) requesting information (126)
about said node (116) from said server (108), said request (114) further comprising
an authenticator identifier (120), said authenticator identifier (120) relating to
said authenticator (118);
- receiving said information (126) from said server (108).
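The exchange recited in claims 5 to 10, as an added worked example that is not part of the patent: an access-network agent sends a request carrying its authenticator identifier, the core-network component confirms with the trust server that the node was previously authenticated, and only then releases the server's information; otherwise the request is denied. All class and function names, the message layout, the audit log and the sample node data are constructed for this illustration. One assumption goes beyond the claims and is marked in the code: the trust server also checks that the authenticator named in the request is the one that authenticated the node, whereas the claims only require confirmation of prior authentication.

```python
"""Added example (not from the patent): a minimal simulation of the claimed
request/confirmation exchange between an access-network agent and a
core-network server guarded by a trust server. Names, message layouts
and sample data are constructed for illustration."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    """Request (114): the agent asks the server for information about a node,
    carrying the identifier (120) of the authenticator (118) that served it."""
    node_id: str
    authenticator_id: str
    agent_id: str


@dataclass
class TrustServer:
    """Trust server (110): records which nodes were authenticated and by which
    authenticator. The mapping below is constructed sample state."""
    authenticated: dict[str, str] = field(default_factory=dict)  # node_id -> authenticator_id

    def record_authentication(self, node_id: str, authenticator_id: str) -> None:
        self.authenticated[node_id] = authenticator_id

    def confirm(self, node_id: str, authenticator_id: str) -> bool:
        # Assumption beyond the claims: the authenticator named in the request
        # must be the one that actually authenticated the node. The claims only
        # require confirmation that the node was previously authenticated.
        return self.authenticated.get(node_id) == authenticator_id


@dataclass
class Server:
    """Server (108): holds the per-node information (126) the agent asks for."""
    records: dict[str, dict] = field(default_factory=dict)

    def lookup(self, node_id: str) -> dict | None:
        return self.records.get(node_id)


@dataclass
class CoreNetworkComponent:
    """Component (128): the core network's front door. Every request is
    confirmed with the trust server before any server data is released."""
    server: Server
    trust_server: TrustServer
    audit: list[tuple[str, str, str]] = field(default_factory=list)

    def handle(self, req: Request) -> dict:
        if not self.trust_server.confirm(req.node_id, req.authenticator_id):
            # Denial path: nothing about the node leaks to an unconfirmed agent.
            self.audit.append(("denied", req.node_id, req.agent_id))
            return {"status": "denied", "reason": "node not authenticated"}
        info = self.server.lookup(req.node_id)
        if info is None:
            self.audit.append(("unknown", req.node_id, req.agent_id))
            return {"status": "denied", "reason": "no record for node"}
        self.audit.append(("sent", req.node_id, req.agent_id))
        return {"status": "ok", "info": info}


class Agent:
    """Agent (112): serves nodes in the access network and requests
    information about them from the core network."""

    def __init__(self, agent_id: str, authenticator_id: str, core: CoreNetworkComponent):
        self.agent_id = agent_id
        self.authenticator_id = authenticator_id
        self.core = core

    def request_info(self, node_id: str) -> dict:
        return self.core.handle(Request(node_id, self.authenticator_id, self.agent_id))


def demo() -> tuple[dict, list]:
    """Run three constructed cases and return the replies plus the audit log."""
    trust = TrustServer()
    server = Server(records={
        "node-A": {"profile": "gold", "mobility": "enabled"},
        "node-B": {"profile": "basic", "mobility": "disabled"},
    })
    core = CoreNetworkComponent(server, trust)
    # Constructed state: node-A was authenticated via authenticator auth-1;
    # node-B never completed authentication.
    trust.record_authentication("node-A", "auth-1")
    agent = Agent("agent-1", "auth-1", core)
    results = {
        "authenticated": agent.request_info("node-A"),
        "never_authenticated": agent.request_info("node-B"),
        "wrong_authenticator": Agent("agent-2", "auth-9", core).request_info("node-A"),
    }
    return results, core.audit


if __name__ == "__main__":
    for case, reply in demo()[0].items():
        print(case, reply)
```

The audit list is the defender's side of the design: each denial is recorded with the node and the requesting agent, so repeated requests for nodes that never authenticated, or requests that name the wrong authenticator, can be seen in the core network's own logs rather than only at the agent.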